Certificate Revocation
Certificate revocation invalidates SSL/TLS certificates before their set expiration,
often due to a compromised key. Revoked certificates can't be used to establish secure
connections.
Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust
between parties in a secure communication session. When X.509 certificates are issued,
they are assigned a validity period: a start and an end (expiration) date and time.
Certificates are considered valid if used during the validity period. However,
certificates can become invalid before the expiration date for the following
reasons:
- A change of name
- The operation of the service belonging to the certificate was discontinued, for
example, because there is a new service under a different name.
- Change of association between subject and certificate authority (for example, an
employee terminates employment)
- Compromise of a private key (known or suspected)
Under such circumstances, the certificate authority (CA) that issued the certificate must
revoke it.
Certificate revocation refers to the process of invalidating a
certificate before it expires.
A party that presents a revoked certificate is not trustworthy. Revoked certificates
can't be used to establish secure connections. When a certificate is part of a chain,
the firewall or Panorama checks the revocation status of every certificate in the chain
except the root CA certificate, whose revocation status it cannot verify. Some browsers
also check for revocation and display warnings to users or refuse the connection. This
process is called certificate revocation checking. It prevents potential security
breaches and protects users from accessing untrustworthy websites or services.
Configure the firewall or Panorama to verify the
revocation status of certificates that it uses for device or user authentication.
The firewall and Panorama support the following methods for verifying certificate
revocation status:
- Certificate Revocation List (CRL)—A CRL is a list of revoked certificates, identified
by serial number, that have been issued and then subsequently revoked by the CA.
CRLs are typically published periodically, or they can be published only when a
certificate is revoked by the CA.
- Online Certificate Status Protocol (OCSP)—OCSP is an internet protocol used for
obtaining the revocation status of an X.509 certificate. The protocol defines the type
of data that is exchanged between the requester of the revocation status (OCSP client)
and the server (OCSP responder) providing the revocation status information. Certificate
revocation information is provided by the OCSP responder through an OCSP response.
You can use this method to validate certificates even if your network deployment
includes a web proxy; all OCSP requests and responses will pass through your proxy
server. See Enable an HTTP Proxy for OCSP Status Checks.
If you configure both methods, the firewall or Panorama first tries the OCSP method; if
the OCSP server is unavailable, it uses the CRL method. If your enterprise has its own
public key infrastructure (PKI), you can configure the firewall to function as the OCSP
responder.
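The following is an added example, not PAN-OS code, that models the order of checks described above: walk the chain leaf to root, skip the root CA, query OCSP first, and fall back to a CRL only when the responder is unavailable. The certificate, responder and CRL objects are constructed stand-ins for parsed X.509 data, and treating an undeterminable status as a failure is an assumption of the example.

```python
import datetime
from dataclasses import dataclass


# Constructed stand-in for a parsed X.509 certificate; a root CA is self-issued.
@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int

    def is_root(self) -> bool:
        return self.subject == self.issuer


class OcspUnavailable(Exception):
    """Raised when the OCSP responder cannot be reached (e.g. timeout)."""


# Constructed stand-in for a parsed CRL: issuer, revoked serials, nextUpdate.
@dataclass
class Crl:
    issuer: str
    revoked_serials: frozenset
    next_update: datetime.datetime


def check_chain(chain, ocsp_query, crls, now):
    """Return (ok, log) for a chain ordered leaf -> root.

    ocsp_query(cert) returns "good" or "revoked", or raises OcspUnavailable.
    crls maps an issuer name to its Crl. OCSP is tried first; the CRL is
    consulted only when OCSP is unavailable. A missing or stale CRL leaves
    the status unknown, which this example treats as a failure (assumption).
    """
    log = []
    for cert in chain:
        if cert.is_root():
            log.append((cert.subject, "skipped", "root CA: status not verifiable"))
            continue
        try:
            status = ocsp_query(cert)
            log.append((cert.subject, status, "ocsp"))
        except OcspUnavailable:
            crl = crls.get(cert.issuer)
            if crl is None or crl.next_update <= now:
                log.append((cert.subject, "unknown", "ocsp unavailable, no current CRL"))
                return False, log
            status = "revoked" if cert.serial in crl.revoked_serials else "good"
            log.append((cert.subject, status, "crl"))
        if status == "revoked":
            return False, log
    return True, log
```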
Enable certificate revocation checking in certificate profiles,
which define user and device authentication for Authentication Portal,
GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or
Panorama.